This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

SSL decryption help?


I'm having problems making SSL decryption work.

I'm running wireshark 1.6.2

Compiled (64-bit) with GTK+ 2.24.6, with GLib 2.29.92, with libpcap 1.1.1, with
libz 1.2.3.4, with POSIX capabilities (Linux), without libpcre, with SMI 0.4.8,
with c-ares 1.7.4, with Lua 5.1, without Python, with GnuTLS 2.10.5, with Gcrypt
1.5.0, with MIT Kerberos, with GeoIP, with PortAudio V19-devel (built Jul 27
2011 11:52:20), without AirPcap.
Running on Linux 3.0.0-20-generic, with libpcap version 1.1.1, with libz
1.2.3.4, GnuTLS 2.10.5, Gcrypt 1.5.0.

I have a self signed certificate generated with java keytool. I have extracted and converted the private key with the help of http://rubenlaguna.com/wp/2007/06/29/inspecting-tomcat-https-connection-with-wireshark/index.html/

I have updated wireshark preferences so I have:

ssl.desegment_ssl_records: TRUE
ssl.desegment_ssl_application_data: TRUE
ssl.keys_list: 127.0.0.1,8443,http,/tmp/cert.rsa.key
ssl.debug_file: /tmp/ssl.log

When starting the ssl.log file says:

Private key imported: KeyID 96:8b:93:2b:cb:26:7e:d1:b1:1f:18:d0:22:ba:13:6b:...
ssl_init IPv4 addr '127.0.0.1' (127.0.0.1) port '8443' filename '/tmp/cert.rsa.key' password(only for p12 file) ''
ssl_init private key file /tmp/cert.rsa.key successfully loaded.
association_add TCP port 8443 protocol http handle 0x7fa335b09560

So it looks like the configuration is all OK

I capture a simple HTTP GET request, but it cannot decode the data. It recognises SSL as the protocol and offers "Follow SSL Stream", but all I get is 0 bytes in the resulting dialog.

Below is the rest of the ssl.log:

dissect_ssl enter frame #4 (first time)
ssl_session_init: initializing ptr 0x7fa321c13d90 size 680
  conversation = 0x7fa321c13880, ssl_session = 0x7fa321c13d90
  record: offset = 0, reported_length_remaining = 180
dissect_ssl3_record: content_type 22
decrypt_ssl3_record: app_data len 175, ssl state 0x00
association_find: TCP port 41462 found (nil)
packet_from_server: is from server - FALSE
decrypt_ssl3_record: using client decoder
decrypt_ssl3_record: no decoder available
dissect_ssl3_handshake iteration 1 type 1 offset 5 length 171 bytes, remaining 180
packet_from_server: is from server - FALSE
ssl_find_private_key server 127.0.0.1:8443
dissect_ssl3_hnd_hello_common found CLIENT RANDOM -> state 0x01

dissect_ssl enter frame #6 (first time)
  conversation = 0x7fa321c13880, ssl_session = 0x7fa321c13d90
  record: offset = 0, reported_length_remaining = 86
dissect_ssl3_record found version 0x0301 -> state 0x11
dissect_ssl3_record: content_type 22
decrypt_ssl3_record: app_data len 81, ssl state 0x11
packet_from_server: is from server - TRUE
decrypt_ssl3_record: using server decoder
decrypt_ssl3_record: no decoder available
dissect_ssl3_handshake iteration 1 type 2 offset 5 length 77 bytes, remaining 86
dissect_ssl3_hnd_hello_common found SERVER RANDOM -> state 0x13
ssl_restore_session can't find stored session
dissect_ssl3_hnd_srv_hello can't find cipher suite 0xC011

dissect_ssl enter frame #8 (first time)
  conversation = 0x7fa321c13880, ssl_session = 0x7fa321c13d90
  record: offset = 0, reported_length_remaining = 6
dissect_ssl3_record: content_type 20
dissect_ssl3_change_cipher_spec
packet_from_server: is from server - TRUE
ssl_change_cipher SERVER

dissect_ssl enter frame #10 (first time)
  conversation = 0x7fa321c13880, ssl_session = 0x7fa321c13d90
  record: offset = 0, reported_length_remaining = 41
dissect_ssl3_record: content_type 22
decrypt_ssl3_record: app_data len 36, ssl state 0x13
packet_from_server: is from server - TRUE
decrypt_ssl3_record: using server decoder
decrypt_ssl3_record: no decoder available
dissect_ssl3_handshake iteration 1 type 112 offset 5 length 12449696 bytes, remaining 41

dissect_ssl enter frame #12 (first time)
  conversation = 0x7fa321c13880, ssl_session = 0x7fa321c13d90
  record: offset = 0, reported_length_remaining = 47
dissect_ssl3_record: content_type 20
dissect_ssl3_change_cipher_spec
packet_from_server: is from server - FALSE
ssl_change_cipher CLIENT
  record: offset = 6, reported_length_remaining = 41
dissect_ssl3_record: content_type 22
decrypt_ssl3_record: app_data len 36, ssl state 0x13
packet_from_server: is from server - FALSE
decrypt_ssl3_record: using client decoder
decrypt_ssl3_record: no decoder available
dissect_ssl3_handshake iteration 1 type 172 offset 11 length 2369652 bytes, remaining 47

dissect_ssl enter frame #13 (first time)
  conversation = 0x7fa321c13880, ssl_session = 0x7fa321c13d90
  record: offset = 0, reported_length_remaining = 407
dissect_ssl3_record: content_type 23
decrypt_ssl3_record: app_data len 402, ssl state 0x13
packet_from_server: is from server - FALSE
decrypt_ssl3_record: using client decoder
decrypt_ssl3_record: no decoder available
association_find: TCP port 41462 found (nil)
association_find: TCP port 8443 found 0x7fa336522040

I’m not sure why it says no decoder available?

What else am I missing???

asked 02 Jul '12, 03:41


gregory_j_wi…
accept rate: 0%

edited 02 Jul '12, 03:58


grahamb ♦


One Answer:


dissect_ssl3_hnd_srv_hello can't find cipher suite 0xC011

Cipher suite 0xC011 (TLS_ECDHE_RSA_WITH_RC4_128_SHA) uses DH (Diffie-Hellman) to generate the session key. Unfortunately, you cannot decrypt that with Wireshark. Please configure your SSL client to use only cipher suites without DH.

Regards
Kurt

answered 02 Jul '12, 04:16


Kurt Knochner ♦
accept rate: 15%

Thanks Kurt - that was it. I went to about:config, searched for SSL and then disabled anything with "DH" in the cipher name.

(02 Jul '12, 05:55) gregory_j_wi...
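The failure in this thread can be read straight out of the ssl.debug_file: the key loaded fine, but the server chose an ECDHE suite, so the RSA private key never sees the premaster secret. The script below is an added example (not from the question, the answer, or the Wireshark project) that triages such a log: it confirms the key-load line, looks up the negotiated suite, classifies its key exchange, and only counts "no decoder available" on application-data records (content_type 23), since handshake records before the key exchange report that legitimately. Assumptions: the `CIPHER_SUITES` table is a small subset of the IANA registry; the `found CIPHER 0x....` wording in the second sample is my guess at what the dissector prints when it does recognise a suite; the verdict text is my own heuristic, not a Wireshark message.

```python
"""Triage a Wireshark ssl.debug_file for the 'no decoder available' case.

Added example; not code from the original post or from Wireshark.
"""
import re
import sys

# IANA cipher suite IDs -> names. Deliberately a small subset; extend as needed.
CIPHER_SUITES = {
    0x0005: "TLS_RSA_WITH_RC4_128_SHA",
    0x000A: "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
    0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA",
    0x0033: "TLS_DHE_RSA_WITH_AES_128_CBC_SHA",
    0x0035: "TLS_RSA_WITH_AES_256_CBC_SHA",
    0x0039: "TLS_DHE_RSA_WITH_AES_256_CBC_SHA",
    0xC009: "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA",
    0xC011: "TLS_ECDHE_RSA_WITH_RC4_128_SHA",
    0xC013: "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
    0xC014: "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
}


def key_exchange(suite_name):
    """'TLS_ECDHE_RSA_WITH_RC4_128_SHA' -> 'ECDHE_RSA'."""
    kx = suite_name.split("_WITH_", 1)[0]
    return kx[4:] if kx.startswith("TLS_") else kx


def rsa_key_can_decrypt(suite_name):
    """Only static RSA key exchange sends the premaster secret encrypted under
    the server's RSA public key, which is what ssl.keys_list relies on. With
    DHE/ECDHE the key merely signs ephemeral parameters, so a passive observer
    holding the private key cannot recover the session key."""
    return key_exchange(suite_name) == "RSA"


def suites_to_keep(offered_names):
    """Suite names to leave enabled on the client so the capture stays
    decryptable; everything else (all the DHE/ECDHE suites) gets disabled,
    which is what the comment above did by turning off 'DH' ciphers."""
    return [n for n in offered_names if rsa_key_can_decrypt(n)]


KEY_LOADED_RE = re.compile(r"private key file \S+ successfully loaded")
# "can't find cipher suite" is the message in the posted log; "found CIPHER"
# is my assumption for the wording when the suite is supported.
SUITE_RE = re.compile(r"(?:can't find cipher suite|found CIPHER) 0x([0-9A-Fa-f]{4})")
CONTENT_TYPE_RE = re.compile(r"content_type (\d+)")
NO_DECODER = "no decoder available"


def app_data_undecrypted(log_text):
    """True if an application-data record (content_type 23) hit
    'no decoder available'. Earlier handshake records report the same
    message before any key material exists, so they are ignored."""
    ctype = None
    for line in log_text.splitlines():
        m = CONTENT_TYPE_RE.search(line)
        if m:
            ctype = int(m.group(1))
        if ctype == 23 and NO_DECODER in line:
            return True
    return False


def triage(log_text):
    """Summarise one handshake from ssl.debug_file output."""
    result = {
        "key_loaded": KEY_LOADED_RE.search(log_text) is not None,
        "app_data_undecrypted": app_data_undecrypted(log_text),
        "cipher": None, "cipher_name": None, "decryptable": None, "verdict": "",
    }
    m = SUITE_RE.search(log_text)
    if m:
        cid = int(m.group(1), 16)
        name = CIPHER_SUITES.get(cid)
        result["cipher"] = cid
        result["cipher_name"] = name or "unknown suite 0x%04X" % cid
        if name:
            result["decryptable"] = rsa_key_can_decrypt(name)
    # Heuristic verdicts (my wording, not Wireshark's).
    if not result["key_loaded"]:
        result["verdict"] = ("private key not loaded: check the ssl.keys_list "
                             "path and that the file is an unencrypted RSA key")
    elif result["decryptable"] is False:
        result["verdict"] = ("server chose %s (%s key exchange): the premaster "
                             "secret is not encrypted under the RSA key, so the "
                             "key cannot decrypt this session; disable DHE/ECDHE "
                             "suites on the client or server"
                             % (result["cipher_name"], key_exchange(result["cipher_name"])))
    elif result["app_data_undecrypted"]:
        result["verdict"] = ("static RSA suite but application data still not "
                             "decrypted: the key probably does not match the "
                             "server certificate, or the ssl.keys_list "
                             "address/port do not match the capture")
    else:
        result["verdict"] = "no decryption problem visible in this log"
    return result


# Excerpt of the ssl.log posted in the question (frames 6 and 13).
POSTED_LOG = """\
ssl_init private key file /tmp/cert.rsa.key successfully loaded.
dissect_ssl enter frame #6 (first time)
dissect_ssl3_record: content_type 22
decrypt_ssl3_record: no decoder available
dissect_ssl3_hnd_srv_hello can't find cipher suite 0xC011
dissect_ssl enter frame #13 (first time)
dissect_ssl3_record: content_type 23
decrypt_ssl3_record: app_data len 402, ssl state 0x13
decrypt_ssl3_record: no decoder available
"""

# Constructed log for a server that negotiated a static-RSA suite.
RSA_LOG = """\
ssl_init private key file /tmp/cert.rsa.key successfully loaded.
dissect_ssl3_hnd_srv_hello found CIPHER 0x002F -> state 0x17
dissect_ssl3_record: content_type 23
decrypt_ssl3_record: app_data len 402, ssl state 0x17
"""

if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else POSTED_LOG
    for k, v in triage(text).items():
        print("%-22s %s" % (k, v))
```

Run it as `python3 triage.py /tmp/ssl.log` against a real debug file, or with no argument to see the verdict for the log from this thread. Checking the content type before trusting "no decoder available" is the part worth keeping: the same message appears on every ClientHello, so on its own it says nothing about whether decryption failed.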